Open Hotel Networks Causing Rash of US Malware Infections

Venafi comments on the human weakness in the security chain as open Wi-Fi networks in public places provide paths for malware infections

“Everyone with an Internet connection has a stake in understanding the critical links in the IT security chain,” said Venafi CEO Jeff Hudson, commenting on the FBI’s warning to travellers who use wireless networks in hotels.

The agency issued the warning in response to a series of incidents in which American travellers downloaded malicious software while connecting to wireless networks in their hotels. The unwitting travellers had clicked to accept what appeared to be routine, legitimate software updates. The resulting malware infestations and subsequent warning prompted Hudson to observe that humans have become the weakest link in the digital defence chain.

Part of this particular problem is the open nature of hotel wireless networks, which operate in notoriously insecure environments to provide hotel guests with easy Internet access.

“The solution is to use encryption to ensure that travellers’ Internet sessions are safe from prying eyes,” Hudson, an IT security expert, asserted. “Before downloading any software, updating existing applications or establishing a connection with a website that requires a user name and password, everyone should review the service provider’s digital certificate and license agreement.” Hudson acknowledged, however, that expecting an assortment of business and vacationing travellers—sales professionals and other non-IT staff, for example—to understand how encryption keys and certificates work “isn’t a realistic option.”

This is where organisations’ IT and security professionals come in. “This warning is a wakeup call for IT pros who manage their organisations’ vast certificate and software-update programs,” Hudson explained.

The pros must understand that, while training end users to safeguard their organisations’ networks is important, road-weary warriors who are short on sleep, in a hurry or slightly under the influence of their nightcaps may forget to follow the correct, secure path to their companies’ email systems and intranets. Unfortunately, this too-human behaviour can jeopardize organisations’ networks and valuable data.

To mitigate these risks, IT professionals must ally policy-enforcement technologies with their security systems, thus mitigating the risk of human error. “To compensate, they need to adopt automated security processes that eliminate the unquantifiable risks that arise from human error and misunderstanding,” Hudson explained. “Organisations that automate and centrally manage security and compliance processes significantly reduce their risks.”

Companies that have centralized IT resources complete with certificates and compliance-enforcement technologies, as most do, can use their servers to automatically enforce secure connections, Hudson further explained. This approach prevents software-update pop-us from affecting employees in their hotel rooms.

“Automated technology and key management systems should make life as easy as possible for the road warriors out there. As well as allowing easy—but secure—access to company email and the Internet, the technology can also manage reputational risk, maximise system availability and help organisations achieve the required regulatory compliance,” Hudson said.

“Factor in other advantages, such as the ability to enforce company and security policies, and secure critical information—plus the capability of recovering from certificate-authority compromises—and you have a secure remote access platform that is a win-win situation on the audit and governance front,” he added.

Concluding his thoughts on the subject, Hudson noted that the FBI’s warning provides an important vehicle for getting the word out about the significant advantages of accepting human frailty as a given and compensating for it by automating security systems—including encryption key and certificate management systems.

“It’s for this reason that we welcome the news that the FBI is alerting business professionals to this high-risk security problem,” Hudson said. “There are security solutions to these issues.”